Monitor for Console Sign In Without Multi-factor Authentication (MFA)

This scenario walks you through how to use the AWS Management Console to create an Amazon CloudWatch alarm that is triggered when a console sign-in is made without multi-factor authentication.

Create a Metric Filter

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Logs.

  3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.

  4. Choose Create Metric Filter.

  5. On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following:

    { $.eventName = "ConsoleLogin" && $.additionalEventData.MFAUsed = "No" }

    Note

    For more information about syntax for metric filters and patterns for CloudTrail log events, see the JSON-related sections of Filter and Pattern Syntax in the Amazon CloudWatch User Guide.

  6. Choose Assign Metric, and then on the Create Metric Filter and Assign a Metric screen, in the Filter Name box, enter ConsoleSignInWithoutMfa.

  7. Under Metric Details, in the Metric Namespace box, enter CloudTrailMetrics.

  8. In the Metric Name field, enter ConsoleSignInWithoutMfaCount.

  9. Choose Metric Value, and then type 1.

    Note

    If Metric Value does not appear, choose Show advanced metric settings first.

  10. When you are finished, choose Create Filter.

Example: Create an Alarm

These steps are a continuation of the previous steps for creating a metric filter.

  1. On the Filters for Log_Group_Name page, next to the filter name, choose Create Alarm.

  2. When you are finished, choose Create Alarm.
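As an added example that is not part of this guide, the following Python reproduces the match logic of the filter pattern above against a few constructed CloudTrail records (one JSON record per CloudWatch Logs line) and shows when the summed metric would push the alarm into the ALARM state. The sample records, the user names, and the threshold of 1 are assumptions; the field names follow the CloudTrail record format.

```python
import json

# Constructed CloudTrail log events, trimmed to the fields the filter inspects.
# These are sample lines written for this example, not records from the guide.
SAMPLE_LOG_LINES = [
    # IAM user signs in with MFA: must not match.
    '{"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"}, '
    '"additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}}',
    # IAM user signs in without MFA: matches.
    '{"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"}, '
    '"additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}}',
    # Failed sign-in attempt without MFA: still matches, because the pattern
    # never looks at responseElements.ConsoleLogin.
    '{"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"}, '
    '"additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}}',
    # Unrelated API call: must not match.
    '{"eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "alice"}}',
    # Console sign-in record with no additionalEventData at all: an equality
    # test against an absent JSON key does not match in a metric filter.
    '{"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}}',
    # A non-JSON line never matches a JSON-style metric filter.
    'not json at all',
]


def matches_filter(line: str) -> bool:
    """True when a log line would match
    { $.eventName = "ConsoleLogin" && $.additionalEventData.MFAUsed = "No" }."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return False
    if not isinstance(event, dict) or event.get("eventName") != "ConsoleLogin":
        return False
    extra = event.get("additionalEventData")
    return isinstance(extra, dict) and extra.get("MFAUsed") == "No"


def metric_datapoints(lines) -> list:
    """Emit Metric Value 1 for each matching event, as the filter is configured to."""
    return [1 for line in lines if matches_filter(line)]


def alarm_state(lines, threshold: int = 1) -> str:
    """Sum the datapoints for one evaluation period and compare to the alarm threshold."""
    return "ALARM" if sum(metric_datapoints(lines)) >= threshold else "OK"


def matching_users(lines) -> list:
    """Names of the principals behind matching events, for triage of the alarm."""
    return [json.loads(l)["userIdentity"].get("userName", "<no userName>")
            for l in lines if matches_filter(l)]
```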
